VPN
=Elements of IPSec VPN=
*RFC 4301
**IKE v1/v2
***IKE v1 - RFC 2408 - has two phases
***IKE v2 - RFC 4306 - has 2-5 messages in a basic exchange and no concept of phases. Instead it creates parent SAs and then child SAs.
**AH
***IP Protocol 51
**ESP
***RFC 4303
***IP Protocol 50

=Elements of SSL VPN=
*Developed in 1994 by Netscape
*IETF enhanced it and renamed it TLS
*Designed to authenticate the server to the client using X.509 certificates
*Optionally authenticates the client to the server
*Selects the crypto algorithms
*Establishes a protected tunnel

==Cisco AnyConnect 3.0==
*Deploy from the ASA or from an SMS (software management system)
*Customizable and translatable
*Built with modules:
**Network Access Manager
**Posture Assessment
**Telemetry (IronPort)
**Web Security (IronPort)
**DART (Diagnostic and Reporting Tool)
**SBL (Start Before Login)
*Supports IKEv2 and is considered an "all-in-one" VPN client solution

==ASA VPN Capabilities Feature Interaction==
*The Cisco ASA security appliance uses a stateful packet filtering engine that supports AIC, which may affect VPN traffic.
*Network traffic crossing the firewall is controlled using many methods that can also interact with VPN connectivity:
**Interface security levels
**IP routing
**Interface ACLs and global ACLs
**Service policies (configured through Cisco MPF)
**Security service modules
**Optionally, NAT
**DNS

=VPN - L2L ASA to IOS Router=
==IKEv1 Phase 1==
Main mode (6 messages) or aggressive mode (3 messages).

On the ASA:
<pre>
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 group 2
 hash sha
tunnel-group 12.1.12.3 type ipsec-l2l
tunnel-group 12.1.12.3 ipsec-attributes
 ikev1 pre-shared-key keykey
</pre>

On the Router:
<pre>
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 group 2
 hash sha
crypto isakmp key 0 keykey address 12.1.12.4
</pre>

==IKEv1 Phase 2==
Proxy ID exchange; ESP in tunnel mode or transport mode; quick mode (3 messages).

On the ASA:
<pre>
crypto ipsec ikev1 transform-set T-set_to_Router esp-aes-256 esp-md5-hmac
access-list VPN_TO_ROUTER extended permit ip 10.0.1.0 255.255.255.0 192.168.0.0 255.255.255.0
</pre>

On the Router:
<pre>
crypto ipsec transform-set T-set_to_ASA esp-aes 256 esp-md5-hmac
! IOS ACLs take wildcard masks (0.0.0.255), not subnet masks; the ACL must mirror the ASA's
ip access-list extended VPN_TO_ASA
 permit ip 192.168.0.0 0.0.0.255 10.0.1.0 0.0.0.255
</pre>

==Crypto Map and Interface Assignment==
On the ASA:
<pre>
crypto map VPN 10 match address VPN_TO_ROUTER
crypto map VPN 10 set peer 12.1.12.3
crypto map VPN 10 set transform-set T-set_to_Router
crypto map VPN interface outside
sysopt connection permit-vpn
</pre>

On the Router:
<pre>
crypto map VPN 10 ipsec-isakmp
 match address VPN_TO_ASA
 set transform-set T-set_to_ASA
 set peer 12.1.12.4
interface fa0/0
 crypto map VPN
</pre>

==VPN commands for the ASA (complete listing)==
<pre>
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 group 2
 hash sha
tunnel-group 12.1.12.3 type ipsec-l2l
tunnel-group 12.1.12.3 ipsec-attributes
 ikev1 pre-shared-key keykey
crypto ipsec ikev1 transform-set T-set_to_Router esp-aes-256 esp-md5-hmac
access-list VPN_TO_ROUTER extended permit ip 10.0.1.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto map VPN 10 match address VPN_TO_ROUTER
crypto map VPN 10 set peer 12.1.12.3
crypto map VPN 10 set transform-set T-set_to_Router
crypto map VPN interface outside
sysopt connection permit-vpn
</pre>
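The ASA side and the router side of this L2L tunnel have to mirror each other: the same ESP transforms (written esp-aes-256 on the ASA but esp-aes 256 on IOS) and crypto ACLs that are exact mirror images, with the IOS ACL in wildcard-mask form. The following added example, not from the original page, parses constructed fragments of both configurations (values taken from the listings on this page) and reports phase 2 mismatches, including a subnet mask typed into the IOS ACL by mistake.

```python
import ipaddress
import re

# Constructed fragments of the L2L example above. The ASA ACL uses subnet masks, the
# IOS ACL uses wildcard masks, and IOS writes "esp-aes 256" where the ASA writes "esp-aes-256".
ASA_CFG = """\
crypto ipsec ikev1 transform-set T-set_to_Router esp-aes-256 esp-md5-hmac
access-list VPN_TO_ROUTER extended permit ip 10.0.1.0 255.255.255.0 192.168.0.0 255.255.255.0"""
IOS_CFG = """\
crypto ipsec transform-set T-set_to_ASA esp-aes 256 esp-md5-hmac
ip access-list extended VPN_TO_ASA
 permit ip 192.168.0.0 0.0.0.255 10.0.1.0 0.0.0.255"""

def transform_set(cfg):
    """Return the normalised ESP transforms, e.g. {'esp-aes-256', 'esp-md5-hmac'}."""
    transforms = re.search(r"transform-set \S+ (.+)", cfg).group(1)
    return set(re.sub(r"(esp-aes) (\d+)", r"\1-\2", transforms).split())

def proxy_ids(cfg, wildcard):
    """Return (local, remote) networks from the crypto ACL's permit ip line."""
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    nets = []
    for addr, mask in ((m.group(1), m.group(2)), (m.group(3), m.group(4))):
        bits = int(ipaddress.IPv4Address(mask))
        if wildcard:  # IOS wildcard 0.0.0.255 is the bitwise inverse of 255.255.255.0
            bits ^= 0xFFFFFFFF
        prefix = bin(bits).count("1")
        # ipaddress silently accepts a hostmask in place of a netmask, so a subnet mask
        # typed into an IOS ACL would slip through; check contiguity ourselves instead.
        if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
            raise ValueError(f"{mask} is not a contiguous mask in this ACL")
        nets.append(ipaddress.ip_network(f"{addr}/{prefix}", strict=True))
    return tuple(nets)

def check_pair(asa_cfg, ios_cfg):
    """Return a list of phase 2 mismatches; an empty list means both sides agree."""
    problems = []
    if transform_set(asa_cfg) != transform_set(ios_cfg):
        problems.append("transform sets differ")
    asa_local, asa_remote = proxy_ids(asa_cfg, wildcard=False)
    ios_local, ios_remote = proxy_ids(ios_cfg, wildcard=True)
    # Each side's crypto ACL must be the exact mirror image of the other's.
    if (asa_local, asa_remote) != (ios_remote, ios_local):
        problems.append(f"proxy IDs not mirrored: ASA {asa_local}->{asa_remote}, "
                        f"IOS {ios_local}->{ios_remote}")
    return problems

if __name__ == "__main__":
    print(check_pair(ASA_CFG, IOS_CFG) or "ASA and router phase 2 parameters match")
```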
==VPN commands for the Router (complete listing)==
<pre>
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 group 2
 hash sha
crypto isakmp key 0 keykey address 12.1.12.4
crypto ipsec transform-set T-set_to_ASA esp-aes 256 esp-md5-hmac
ip access-list extended VPN_TO_ASA
 permit ip 192.168.0.0 0.0.0.255 10.0.1.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 match address VPN_TO_ASA
 set transform-set T-set_to_ASA
 set peer 12.1.12.4
interface fa0/0
 crypto map VPN
</pre>

==Second Router example (3DES/MD5, peer 1.1.1.1)==
<pre>
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 hash md5
 group 2
!
crypto isakmp key cisco address 1.1.1.1
!
crypto ipsec transform-set T_SET esp-3des esp-md5-hmac
!
ip access-list extended VLAN2_TO_VLAN3
 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set T_SET
 match address VLAN2_TO_VLAN3
!
interface fa 0/0
 crypto map VPN
</pre>

=Remote Access VPN=
==IKEv2 AnyConnect==
*RA VPN with IKEv1 uses the legacy Cisco IPsec client; ISAKMP is used for negotiation
*RA VPN with IKEv2 uses the Cisco AnyConnect client, which still uses SSL VPN for profile updates, etc.
*Cisco's direction is the use of IKEv2
IKEv2 policies are modified in the 'AnyConnect Connection Profiles' and not the 'IPsec(IKEv1) Connection Profiles'.

=PKI Architecture=
==Peer Authentication==
*How do we authenticate a peer in a VPN connection?
**Pre-shared keys
**Digital certificates
==What PKI Provides==
*PKI provides stronger peer authentication than weak pre-shared keys
*New issues arise when we use a PKI infrastructure:
**Peers need the public key of the other site before it works
***How do we exchange those keys?
***How do we trust the information that was exchanged?
==How Keys are Used==
*In a key pair we have a public and a private key
*Nobody gets my private key, but if you have my public key you can verify something I have signed with my private key (authentication)
*If you encrypt something with my public key, only my private key can reverse that process (encryption)
==Manual Key Exchange==
*We exchange public keys, then call each other and read back the fingerprint
*Not scalable
==In Terms of Life==
*If I know Bob and Bob knows you, he might introduce us, and we may trust each other because we trusted the introducer
*This is the start of the PKI concept
*The CA server is Bob
*We both trust the CA
*This makes it more scalable
**The CA is the central trusted introducer
**The CA signs everyone's public key with its private key
**So to read the signature we need the public key of the CA (authentication)
**The signed public keys are called identity certificates
**These ID certs can be revoked
==On the ASA==
*We can install an identity cert on the ASA
**The cert can be self-signed or obtained from a CA
**The default cert is regenerated every time the ASA boots, so don't save it
*When enrolling with a CA server we can use manual enrollment or the Simple Certificate Enrollment Protocol (SCEP)
==CA Servers==
*The CA server you choose may vary, as there are many available
**Microsoft has a CA built into Windows Server
**The ASA can act as a CA server
**A Cisco IOS router can act as a CA server
**You may have to pay for the CA
**Some are subscription based
==On the Client==
*The client can enroll with a CA in the following ways:
**Using the ASA as a CA server
**Using an external CA server
**Using a CA server behind the ASA with ACLs allowing enrollment
**Using a CA server behind the ASA with SCEP proxy
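The chain of trust described in the PKI section, worked through as an added example that is not part of the original page: Bob the CA signs a peer's public key to produce its identity certificate; a peer that already holds the CA's public key verifies that signature, checks revocation, and then has the remote side prove possession of its private key. It uses a toy textbook RSA on tiny constructed primes, and all keys, names and serial numbers are constructed.

```python
import hashlib

# Toy textbook RSA on tiny constructed primes: enough to show the chain of trust,
# far too small for real use (a real CA uses 2048-bit RSA or an ECDSA curve).
def toy_keypair(p, q, e=17):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent; needs Python 3.8+
    return (n, e), (n, d)              # (public key, private key)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data):  # only the holder of the private key can do this
    n, d = private_key
    return pow(digest(data, n), d, n)

def verify(public_key, data, signature):  # anyone with the public key can check it
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)

def to_be_signed(serial, subject, pub):
    return f"{serial}|{subject}|{pub[0]}|{pub[1]}".encode()

def issue_identity_cert(ca_priv, serial, subject, subject_pub):
    """Bob the CA signs the subject's public key: the result is the identity cert."""
    cert = {"serial": serial, "subject": subject, "pub": subject_pub}
    cert["sig"] = sign(ca_priv, to_be_signed(serial, subject, subject_pub))
    return cert

def peer_is_trusted(cert, ca_pub, revoked, challenge, response):
    """What a VPN peer does: check the CA's signature using the CA public key it
    already trusts, check revocation, then require proof of possession of the
    private key in the form of a signature over our fresh challenge."""
    tbs = to_be_signed(cert["serial"], cert["subject"], cert["pub"])
    if not verify(ca_pub, tbs, cert["sig"]):
        return False  # not issued by our CA, or the public key inside was swapped
    if cert["serial"] in revoked:
        return False  # the CA has withdrawn its introduction
    return verify(cert["pub"], challenge, response)

# Constructed parties: Bob is the CA, the ASA is the peer that enrolled with him.
CA_PUB, CA_PRIV = toy_keypair(61, 53)
ASA_PUB, ASA_PRIV = toy_keypair(89, 97)
ASA_CERT = issue_identity_cert(CA_PRIV, 1, "asa.example.test", ASA_PUB)

if __name__ == "__main__":
    nonce = b"router-challenge-constructed"
    print(peer_is_trusted(ASA_CERT, CA_PUB, set(), nonce, sign(ASA_PRIV, nonce)))
```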